Inspired by a community contribution (Azure/kubelogin#81), this sample enables a new pattern for accessing AKS clusters from GitHub. Instead of creating a credential for a service principal and storing it in GitHub, it uses GitHub's OpenID Connect and Azure Workload Identity Federation to access AKS clusters with AAD/Azure RBAC in a password-free setting.
In setup.sh, these steps are performed:
- Create an AKS cluster with Azure RBAC enabled.
- Create AAD application and service principal.
- Create role assignment to the created AKS cluster using the `Azure Kubernetes Service RBAC Cluster Admin` role.
- Create federated identity credential using the Microsoft Graph API. Note that `audience` has to be `api://AzureADTokenExchange` and the `subject` claim must use the expected format.
The sample GitHub Actions workflow, access-aks.yml, requires the following Actions secrets to be configured:
- AZURE_SUBSCRIPTION_ID is the subscription ID in which the AKS cluster resides
- RESOURCE_GROUP_NAME is the resource group in which the AKS cluster resides
- AKS_NAME is the AKS cluster name used in Environment setup
- AZURE_TENANT_ID is the Azure AD tenant ID
- AZURE_CLIENT_ID is the appID created in Environment setup
This workflow performs these steps:
- Az login using workload identity federation
- Get kubeconfig
- Get kubelogin
- Convert kubeconfig into exec plugin format with workload identity support
- Get id-token and save to a file
- Run kubectl
- Profit!
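The token exchange only succeeds when the `iss`, `sub` and `aud` claims of the id-token that the workflow saves to a file match what the federated identity credential was created with (the `api://AzureADTokenExchange` audience and the subject format from the setup notes above). The following added example, not part of this sample's setup.sh or workflow, inspects those claims so a mismatch fails fast with a readable reason; the repository and branch in the subject are constructed placeholders.

```python
import base64
import json

# Values the federated identity credential is created with (from the setup notes).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"


def _b64url(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT.
    No signature check here: Azure AD validates the signature against GitHub's
    keys during the exchange; this is a pre-flight look at the claims only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url(parts[1]))


def check_federation_claims(jwt: str, expected_subject: str,
                            expected_audience: str = EXPECTED_AUDIENCE) -> list:
    """Compare iss/sub/aud with the federated credential's issuer, subject and
    audience. Returns a list of mismatch descriptions; empty means they match."""
    claims = decode_claims(jwt)
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append(f"iss={claims.get('iss')!r}, expected {GITHUB_ISSUER!r}")
    if claims.get("sub") != expected_subject:
        problems.append(f"sub={claims.get('sub')!r}, expected {expected_subject!r}")
    aud = claims.get("aud")  # aud may be a string or a list of strings
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud={aud!r} does not contain {expected_audience!r}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token with an empty signature, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed subject for a hypothetical repo and branch (repo:<owner>/<repo>:ref:<ref>).
    subject = "repo:example-org/example-repo:ref:refs/heads/main"
    ok = make_unsigned_token({"iss": GITHUB_ISSUER, "sub": subject, "aud": EXPECTED_AUDIENCE})
    bad = make_unsigned_token({"iss": GITHUB_ISSUER, "sub": subject, "aud": "https://example.invalid"})
    print(check_federation_claims(ok, subject))   # []
    print(check_federation_claims(bad, subject))  # one audience mismatch
```

In the workflow, run the check against the saved id-token file before the kubectl step so a wrongly requested audience or a branch/environment that does not match the federated credential's subject is reported there rather than as an opaque AADSTS error from the token exchange.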